Authentication & Security
Learn how to authenticate your API requests and verify incoming webhooks from our platform.
API Key Authentication
The Engage API uses API keys to authenticate requests. You can view and manage your API keys in the Developer Settings of your workspace.
Your API keys carry many privileges, so be sure to keep them secure! Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.
Request Header
All API requests must include the API key in the Authorization HTTP header:
Authorization: Bearer engage_live_************************
Webhook Security
When you register a webhook URL, we will send events as POST requests to your server. To ensure these requests are genuine, each request includes an HMAC signature.
Node.js Verification Example
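const crypto = require('crypto');

function verifySignature(payload, signature, secret) {
  // Recompute the expected signature over the received payload
  const hmac = crypto.createHmac('sha256', secret);
  const digest = Buffer.from('sha256=' + hmac.update(payload).digest('hex'));
  const received = Buffer.from(String(signature));
  // timingSafeEqual throws when the lengths differ, so reject that case first
  if (received.length !== digest.length) return false;
  return crypto.timingSafeEqual(received, digest);
}
IP Whitelisting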
For enterprise environments that require inbound firewall rules, please whitelist the following static IP addresses for Engage webhook delivery:
- 3.110.22.141
- 13.233.155.201
- 65.0.18.222
* These IPs are subject to change. We recommend using Signature Verification as the primary security layer.
Security Best Practices
- Rotate your API keys every 90 days or if you suspect a leak.
- Always use HTTPS for your webhook endpoints.
- Validate the webhook signature before processing any data.
- Use Environment Variables to store your keys—never hardcode them.
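A fuller receiver for the Webhook Security section and the "validate before processing" practice above, as an added example that is not Engage's own code: it computes the HMAC over the raw request bytes and parses JSON only after the signature matches. The header name `x-engage-signature`, the 1 MiB body cap, and the names `handleDelivery`, `createServer` and `demo` are assumptions; the page specifies only the `sha256=` plus hex HMAC-SHA256 format.

```javascript
const crypto = require('crypto');
const http = require('http');
const SIGNATURE_HEADER = 'x-engage-signature'; // hypothetical name: the page does not give the header
const MAX_BODY_BYTES = 1024 * 1024; // assumed cap on unauthenticated input

// Same HMAC check as the page's verifySignature, but it returns false instead of throwing.
function verifySignature(rawBody, signature, secret) {
  if (typeof signature !== 'string' || !secret) return false;
  const digest = 'sha256=' + crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
  const a = Buffer.from(signature);
  const b = Buffer.from(digest);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// JSON is parsed only after the signature over the raw bytes has been verified.
function handleDelivery(rawBody, headers, secret) {
  if (!verifySignature(rawBody, headers[SIGNATURE_HEADER], secret)) return { status: 401, event: null };
  try {
    return { status: 200, event: JSON.parse(rawBody.toString('utf8')) };
  } catch (err) {
    return { status: 400, event: null };
  }
}

// Collects the body as raw bytes; pass the secret from an environment variable.
function createServer(secret) {
  return http.createServer((req, res) => {
    const chunks = [];
    let size = 0;
    req.on('data', (chunk) => {
      size += chunk.length;
      if (size > MAX_BODY_BYTES) return req.destroy();
      chunks.push(chunk);
    });
    req.on('end', () => {
      const result = handleDelivery(Buffer.concat(chunks), req.headers, secret);
      res.writeHead(result.status).end(); // result.event goes to application code on 200
    });
  });
}

// Constructed sample delivery (not real Engage traffic): genuine, altered body, missing header.
function demo() {
  const secret = 'constructed-secret';
  const body = Buffer.from('{"type":"sample.event"}');
  const sig = 'sha256=' + crypto.createHmac('sha256', secret).update(body).digest('hex');
  const headers = { [SIGNATURE_HEADER]: sig };
  return [handleDelivery(body, headers, secret), handleDelivery(Buffer.from('{}'), headers, secret),
    handleDelivery(body, {}, secret)].map((r) => r.status);
}
```

Start it with `createServer(process.env.ENGAGE_WEBHOOK_SECRET).listen(port)`; the variable name is an assumption. `demo()` returns the status for each constructed case.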